[This post was initially published on Sunday, Jan. 7, 2018 and updated on Monday, Jan. 15, 2018]
Dear valued Palo Alto Networks customer,
On December 5, 2017, Palo Alto Networks PSIRT published security advisory PAN-SA-2017-0027, along with the associated patch and recommended best practices, which addressed a critical vulnerability (CVE-2017-15944) affecting PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, and PAN-OS 7.1.13 and earlier. (Please note: We updated the 7.1 versions affected to align with our security advisory and clarify that PAN-OS 7.1.13 and earlier versions are affected.)
Since publication of the advisory, we have become aware of malicious activity around this vulnerability affecting a small number of organizations with internet-exposed management interfaces, which have not adopted the recommended patch. The elevated risk has prompted this special advisory recommendation.
ACTION RECOMMENDED IF:
You have not implemented the recommended PAN-OS version updates; or
Your organization has PAN-OS device management interfaces on an internet-facing public IP address.
If your organization has not patched and has management interfaces on an internet-facing IP address, your risk is significantly increased and immediate action is required.
Management interface protection best practices
Per the initial advisory published December 5, 2017, this vulnerability is patched in PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, and PAN-OS 7.1.14 and later. If you have not patched, we strongly recommend you do so.
If you have not patched and also have internet-facing device management on a public IP address, the recommendation to patch is urgent, and we also recommend immediately implementing management interface best practices.
Note: If you have not intentionally exposed your firewall management interface to the internet, it may be exposed due to an inadvertent misconfiguration of your GlobalProtect portal or gateway, wherein the “http” or “https” services on an Interface Management profile are attached to the GlobalProtect portal or gateway interface. For more information on this, please refer to the Best Practices for Securing Administrative Access technical document or contact the Palo Alto Networks Global Customer Support Team via the contact information below should you have any questions.
As a best practice for all customers, we recommend that no one expose the management web UI of their firewall devices to the internet, as this can introduce additional risk for unpatched devices. Best practice recommendations also include:
Restricting access to the firewall management web UI interfaces to dedicated management networks through VLAN isolation and/or IP address ACLs.
If remote access to firewall management interfaces over the internet is required, consider achieving this through a secure VPN connection.
If you have an internet-facing management interface or profile, protect management traffic by passing it through the data plane of the firewall and employ Threat Prevention and SSL Decryption. [When PAN-SA-2017-0027 was posted, we released IPS signatures (#40483 and #40484) that block attempted exploitation of CVE-2017-15944; ensure these signatures are set to “block” to prevent successful attacks.]
For any further questions or assistance, please contact the Palo Alto Networks Support Team at https://support.paloaltonetworks.com and include “CVE-2017-15944” in the case subject line.
The Palo Alto Networks PSIRT Team
Friday, Jan. 12, 2018
Saturday, Jan. 13, 2018
Added clarification to the third best practice recommendations bullet.
Monday, Jan. 15, 2018
Added a clarification to note that PAN-OS 7.1.13 and earlier versions are affected by CVE-2017-15944.
Added additional information regarding GlobalProtect portal/gateway configuration.
Q: What is the issue?
A vulnerability we patched in early December 2017 (CVE-2017-15944 / PAN-SA-2017-0027) can enable an attacker to remotely execute code on the management interface of an unprotected or unpatched firewall.
This vulnerability applies to customers who have their management web interface (GUI) exposed to the Internet. Customers who are running unpatched software and have their management web interface (GUI) exposed could potentially have their system compromised. We have also seen examples where the management interface (GUI) was inadvertently exposed due to a Global Protect misconfiguration. The following Knowledge Base articles provide guidance on the recommended configuration:
CVE-2017-15944 is Common Vulnerabilities and Exposures designation for the actual vulnerability. This system is used by the security community to uniquely identify vulnerabilities.
The security advisory PAN-SA-2017-0027 provides information on the vulnerability CVE-2017-15944, including how to remediate the vulnerability with the patch we have provided.
Q: What Palo Alto Networks products are impacted?
Palo Alto Networks firewalls running non-current PAN-OS versions or have the management interface (GUI) exposed to the internet are at risk. Users following best practices to protect the management interface will be sufficiently protected from this vulnerability even when running down-rev code versions. The Palo Alto Networks Security advisory detail page has the full list of impacted products here: https://securityadvisories.paloaltonetworks.com/Home/Detail/102
Q: What are the best practice guidelines for the management interface?
We recommend that customers follow the best practice guidelines for securing the management interface. Those guidelines are available here.
Q: If I do not want to remove management from my external interface, who should I contact?
This is up to the administrator of the firewall. Palo Alto Networks recommends following the published best practices to secure your firewall.
Q: Will upgrading to the latest version cause any other issues on my firewalls?
Upgrading the firewall to the latest version of software is part of our best practice recommendations. However, we realize that some customers may not be able to do so right away. Leveraging Panorama and other automation tools can assist in simplifying and expediting upgrades in large scale or complex installations.
It’s also possible that upgrading the PAN-OS software version may introduce changes in behavior that could impact how the firewall interacts with other devices or with configured policies. In this case, we recommend that users of our equipment stay on recent versions of the PAN-OS release to minimize any potential impact. The Release Notes for all supported PAN-OS software versions are available to review to help minimize any disruptions when changing/upgrading versions.
Q: Do I need to upgrade my Panorama management server to the latest version as well?
We recommend running the current version of Panorama to help minimize the risk of attack vectors. In some cases, depending on the PAN-OS version you are upgrading to, it may be necessary to upgrade Panorama too. Our general guidance is to have Panorama running the same version as the highest revision of PAN-OS software that it’s managing.
Q: I’m using my firewall as a syslog server for feeds for User ID. If I lock down my access-list on my management interface, do I need to include the server IP that is sending me these logs?
Yes, in addition to the additional servers sending logs for User-ID, you should also permit the IP address of each Firewall Administrator, the Panorama management address, and any SNMP monitoring servers. You can use network notation to simplify this task (e.g. allow 192.168.1/0/24 instead of all addresses in the address space). However, doing this reduces the security of the system moreso than just allowing the specific addresses. Keep in mind that many network addresses are assigned by DHCP, so allowing specific addresses for the administrator may change from time to time.